New malware uses Windows EFS to stymie security researchers

Researchers from security vendor Symantec have discovered a new piece of malware that uses the Encrypting File System (EFS) feature in Windows to stymie forensic analysis. As its name suggests, EFS offers transparent, file-system-level encryption to help businesses guard against data leakage to users who do not have the correct system password.

EFS-protected malware continues to function normally while the infected account is logged in, but attempting to access the same files from another system or operating system reveals only encrypted gibberish. This makes it harder for security researchers who try to study a badly compromised PC from another system.

"In some cases, security researchers may use another operating system, such as a version of Linux bootable from a removable drive, in order to retrieve malicious files from a compromised computer," explained security researcher Kazumasa Itabashi in a blog entry. "This method is useful when retrieving files from a computer compromised by a rootkit. However, it's impossible to get the file [malicious file] by this method because the DLL file is encrypted on the EFS."

Of course, it is hardly uncommon for malware writers to implement ways of avoiding detection and analysis. Indeed, botnets that use peer-to-peer networks to avoid detection have been around for some years now. Taken together, though, the additional tricks can only make tracking down such malware harder for security researchers. Itabashi summed it up this way: "Not only is it trivial for program code to use EFS, it's also very effective at preventing forensic analysis from accessing the contents of the file."
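The flip side of the technique described above is that EFS leaves a visible trace: every encrypted file carries the `Encrypted` file attribute, and Windows' built-in `cipher.exe` can report which accounts hold a decryption certificate for it without decrypting anything. The following PowerShell script is an added example, not part of the article or Symantec's research; it hunts for EFS-encrypted executables and scripts in system and program directories, where legitimate user EFS activity is rare. The directory list, extension list and the parsing of `cipher /c` output are assumptions chosen for illustration.

```powershell
# Added example (not from the article): triage scan for EFS-encrypted
# executables/scripts outside user profiles. Run in an elevated session on
# the live system, because an offline mount only sees ciphertext.

param(
    # Assumed starting points: places where user-initiated EFS use is unusual.
    [string[]]$Roots = @(
        $env:SystemRoot,
        $env:ProgramData,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    ),
    # Assumed list of file types worth flagging when encrypted.
    [string[]]$Extensions = @('.dll', '.exe', '.sys', '.ps1', '.vbs', '.js')
)

$hits = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # The Encrypted attribute is set on every EFS-protected file.
            ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -and
            ($Extensions -contains $_.Extension.ToLower())
        } |
        ForEach-Object {
            # cipher.exe /c lists the users (and recovery agents) whose
            # certificates can decrypt the file; the exact output layout
            # differs between Windows versions, so it is kept verbatim.
            $cipherInfo = & cipher.exe /c $_.FullName 2>$null

            [PSCustomObject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                Owner        = (Get-Acl -LiteralPath $_.FullName).Owner
                CipherInfo   = ($cipherInfo | Where-Object { $_.Trim() }) -join ' | '
            }
        }
}

if ($hits) {
    $hits | Sort-Object Path | Format-Table -AutoSize -Wrap
    "`n$(@($hits).Count) EFS-encrypted executable/script file(s) found outside user profiles."
} else {
    "No EFS-encrypted executable or script files found under: $($Roots -join ', ')"
}
```

Any hit in these locations deserves a closer look, since EFS keys are tied to a user's account credentials and software installers do not normally encrypt their own binaries. For a full inventory rather than a filtered one, the built-in `cipher /u /n` command lists every encrypted file on the local volumes without touching their keys. Because the content is only readable under the encrypting account (or with a designated data recovery agent's key), the practical consequence for responders is to collect a copy of the flagged file from the live session before imaging the disk.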
